LastPass Selects PasswordPing for Compromised Credential Screening

BOULDER, Colorado, May 24, 2017 – Today, PasswordPing, an innovative compromised credential and breach notification service, announced a new partnership with LastPass, the pioneer and market leader in password management, to help alert and protect LastPass customers. PasswordPing’s API technology provides LastPass with a quick and easy way to screen individual and enterprise user credentials against a database of billions of compromised credentials.

“Due to high-profile data breaches taking place each year and the billions of compromised user credentials circulated on the public Internet and Dark Web, compromised credential screening is an important way businesses and government agencies can protect their users from the risk of their accounts being hijacked,” said Josh Horwitz, COO and Co-Founder of PasswordPing.

With PasswordPing, LastPass is able to identify high-risk end users and put additional security measures in place, such as email alerts and real-time in-product notifications, to block account hijacking attempts and other fraudulent activities.

Cid Ferrara, Vice President of LastPass Specialists, explained, “LastPass is proud to be partnering with PasswordPing as our definitive source for detecting users’ credentials that have been compromised. The security risk to both consumers and organizations when credentials are exposed in third-party breaches is very real and we strive to keep our users one step ahead. PasswordPing’s expertise and dedicated operations for compromised credentials detection make them a great partner to have.”

“We are excited to be working with LastPass as our strategic directives are well-aligned. Both PasswordPing and LastPass aim to protect users, customers and employees from fraud, account takeovers, credential stuffing and doxing,” said Mike Wilson, CEO and Co-Founder of PasswordPing. He continued, “PasswordPing’s compromised credential services will help LastPass better inform their users when their online credentials have been exposed and should no longer be used.”

About PasswordPing

PasswordPing’s innovative compromised credential and breach notification services were created to protect corporate networks and consumer websites from unauthorized access and fraud. PasswordPing helps organizations screen user accounts for known, compromised credentials and block unauthorized authentication. PasswordPing Ltd. is a privately held company based in Boulder, Colorado. For more information, visit www.passwordping.com or email info@passwordping.com.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater.

Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.
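The lookup flow described above, as an added illustration that is not PasswordPing's or LastPass's own code: the client derives three unsalted digests and sends only those (over TLS); the server matches each digest against the hash family it belongs to. The corpus and passwords are constructed for the example, and the function names are assumptions.

```python
import hashlib

# Constructed stand-in for the server-side compromised-credential database.
# Breach dumps surface passwords in different forms: some plaintext, many as
# unsalted MD5, SHA1 or SHA256 digests. A real corpus holds the digests as
# harvested; here they are derived from sample passwords so the example runs.
COMPROMISED = {
    "md5": {hashlib.md5(b"password123").hexdigest()},
    "sha1": {hashlib.sha1(b"letmein").hexdigest()},
    "sha256": {hashlib.sha256(b"sunshine2017").hexdigest()},
}


def client_digests(password: str) -> dict:
    """Client side: the three unsalted hashes that are transmitted.

    The plaintext never leaves the client. Note the caveat the page itself
    makes: for common passwords an unsalted digest is trivially reversible,
    so the TLS channel and the server's no-persistence rule carry the
    confidentiality, not the hashing.
    """
    data = password.encode("utf-8")
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def server_lookup(digests: dict, corpus=COMPROMISED) -> list:
    """Server side: return the hash families in which a match was found.

    Each digest is checked only against entries stored in the same family,
    which is why a client that sent a single family would miss breach
    records that leaked in another form.
    """
    return [alg for alg, hexdigest in digests.items()
            if hexdigest in corpus.get(alg, ())]


def is_compromised(password: str) -> bool:
    """End-to-end check: any family match means the password is known-bad."""
    return bool(server_lookup(client_digests(password)))
```

Submitting only the SHA256 digest of "letmein" returns no match against this corpus, while the full three-digest submission finds it in the SHA1 family.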

More Information

This site is for EDUCATIONAL PURPOSES ONLY. Your password will be sent securely to the PasswordPing servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.

What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.
